Some`GetAtt`able attribute are not marked as such

[rix0rrr]

The CFN Registry Schema

The CloudFormation Registry schema is a Control Plane schema, that defines resources with properties. Some properties are configurable by the user (BucketName, Timeout, etc), and some properties are not configurable by the user (Arn, KeyId).

In the CloudFormation Registry schema, properties that are not configurable by the user are marked as readOnlyProperties.

CloudFormation

CloudFormation is an IaC engine that can orchestrate the creation of AWS resources by means of a template. In that template, values for configurable resource properties can be specified in a Properties: block. Equally, certain values can be read from a resource by specifying a { Fn::GetAtt } intrinsic. For example, the Arn property of a Bucket can be read by writing { "Fn::GetAtt": [MyBucket, Arn] }.

It's not possible to read all properties this way, just a limited subset that is different for each resource. (Motivation: If arbitrary anytime-mutable properties could be GetAtted, it would become extremely expensive to calculate the changeset, so CloudFormation specifically does not allow it. )

The issue

Now here comes the important bit:

• In CloudFormation, certain properties can be both configured as well as read.
  • For example, an EC2::Subnet's VpcId can both be configured in Properties, as well as retrieved using { "Fn::GetAtt": [MySubnet, VpcId] }.
• The CFN Registry Schema has no way to express this! The property is not ReadOnly, so it would be incorrect to put it inside readOnlyProperties.

The CFN Registry Schema is not intended to describe CloudFormation behavior, hence it does not have a way to describe the attributes that can be { Fn::GetAtt }ed, and it will never have a way to describe that.

Yet, in order to generate valid CloudFormation templates, the spec does need a way to describe the properties and attributes of each resource. So we need an additional datasource.

The set of { GetAtt }'able properties will always be at least the set of readOnlyProperties, as well as a set of additional properties that can be both configured as well as { GetAtt }ed.

We currently already mark readOnlyProperties as attributes, but don't have the additional set of writable+readable properties yet.

The solution

CloudFormation currently has an exception list for 87 properties that can be GetAtt'ed with the same name as properties, and will not accept new ones in the future.

We add this additional list as an enhanced data source, and add those into the spec as attributes.

Going forward, new GetAttable properties will be added to readOnlyProperties only, so we will automatically keep up with extensions.

Information on where to find the list of GetAttable properties: internal reference D139308277

[rix0rrr]

Another instance of it being unclear what is GetAtt'able:

• Most of the time the primary identifier is NOT GetAttable.
• But sometimes it is.

And there's no clear way for the schema to tell the difference.

Example: AWS::AppMesh::Route

{
  "primaryIdentifier" : [ "/properties/Id" ],
  "readOnlyProperties" : [ "/properties/Id", ... ]
}

Id is the primary identifier and it CANNOT be GetAtted

Example: AWS::CloudFront::Distribution

{
  "primaryIdentifier" : [ "/properties/Id" ],
  "readOnlyProperties" : [ "/properties/Id", ... ]
}

Id is the primary identifier and it CAN be GetAtted